We noticed that the executables provided by the server were always different and ran on the remote host for about 1 second.
Downloading more binaries we noted that the only differences in the binaries were the service port, the dimension of the buffer, and the number of bytes read.
These parameters were randomly generated, leading sometimes to a buffer overflow.
Hence, the idea was to query the server until a vulnerable executable is generated.

We grabbed libc from the server hosting Exploitables250 in the hope that it was the same also for this challenge, and it was. The challenge description stated ASLR had been disabled, so we did not need any memory leak to obtain a reference to the libc.

We wrote a bash script to download the executables, parse the output of objdump, grep the randomly generated parameters, and pass them to the python exploit.

The python exploit simply checks if the service is vulnerable and, if so, builds the ROP chain to execute system("/bin/sh").
We used ropper to find the gadgets in the libc.
Since our input was bound to the socket we called dup2 to attach the socket to stdin/stdout.